Cyber Posture

CVE-2025-11849

Severity: Critical
Published: 17 October 2025
Modified: 29 April 2026
KEV Added
Patch
CVSS Score: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H)
EPSS Score: 0.0023 (46.0th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Security Summary

CVE-2025-11849 is a directory traversal vulnerability (CWE-22) in the Mammoth DOCX-to-HTML conversion library, affecting versions prior to 1.11.0 (the advisories also cover 0.3.25 and earlier). It affects several implementations: the JavaScript package mammoth, the .NET package mammoth, and the Java package org.zwobble.mammoth:mammoth. The root cause is insufficient validation of the path and file type when a DOCX contains an image that references its data through an external relationship (the r:link attribute, whose relationship carries TargetMode="External") rather than an embedded package part (r:embed). Mammoth resolves the external URI to a path on the local filesystem of the host performing the conversion, reads that file, base64-encodes its contents, and embeds them in the output HTML as a data: URI.

An attacker exploits this by crafting a DOCX whose external image link points at an arbitrary file path, or at a special device such as /dev/random or /dev/zero, which never reaches end of file and so makes the read-and-encode step consume memory and CPU until the process fails. The victim must process the document with a vulnerable Mammoth instance (UI:R), for example a web application or document-conversion service that accepts uploads; no privileges are required (PR:N) and the attack is low complexity (AC:L). A successful attack yields arbitrary file reads from the host where conversion runs (C:H), and in any deployment that returns the converted HTML to the uploader the file contents come straight back to the attacker inside the data: URI, or denial of service through resource exhaustion (A:H); integrity is not affected (I:N). The scope is changed (S:C) because the vulnerable component is the library, while the impact lands on the host filesystem and on whoever receives the converted output. The CVSS v3.1 base score is 9.3.

Advisories from Snyk cover the JavaScript (SNYK-JS-MAMMOTH-13554470), .NET (SNYK-DOTNET-MAMMOTH-13561968), and Java (SNYK-JAVA-ORGZWOBBLEMAMMOTH-13561969) ecosystems and recommend upgrading to Mammoth 1.11.0 or later; the package names above are the ones to look for in dependency manifests and lock files. A fix commit in the mammoth.js repository (c54aaeb43a7941317c1f3c119ffa92090f988820) addresses the issue by validating the external image target before it is read. A proof-of-concept is available in a GitHub Gist demonstrating the traversal.

Details

CWE(s)
CWE-22

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The directory traversal lets a crafted DOCX, once processed by a vulnerable Mammoth instance, read arbitrary files from the converting host and return them in the output (T1005), and any public-facing application or service that converts uploaded documents with the library gives an unauthenticated remote attacker that capability as an initial foothold (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References